The rise of sophisticated BEC scams in the finance industry

For all the talk of insider threats, cryptojacking and ransomware, I believe that one of the biggest cyber security challenges facing the finance industry in 2019 will be mitigating the elevated risk of Business Email Compromise (BEC) attacks. These attacks involve cybercriminals imitating known contacts, usually C-level executives, in order to trick individuals into wiring payments and funds into alternate bank accounts.

BEC scams are rife in finance due to the high frequency and large sums of money transferred between organisations. They’re also popular because the returns are often much higher than that of typical email phishing scams.

Modern BEC attacks are incredibly effective, since hackers are getting better at creating more elaborate campaigns and covering their tracks to evade detection. To improve the effectiveness of their communications, cybercriminals will meticulously research supply chains, follow company news and events, track social media channels, and even learn employee routines.

Worse still, these types of attacks commonly go unreported, which means many businesses don’t realise the full scale of the problem. The truth is that they are quickly becoming ubiquitous.

The Redscan team recently uncovered a good example of a particularly sophisticated BEC: an insurance company specialising in high value business mergers and acquisitions had been the victim of a data breach and asked us to investigate.

Despite conducting regular staff training and maintaining a high level of preventative security controls, the firm nearly found itself as the conduit for a sophisticated scam. The attack sought to trick one of its clients into paying £300,000, owed in relation to two outstanding invoices, into a substitute bank account.

Fortunately, the attack was foiled before any payments were made: a vigilant staff member from the client company had insisted on seeking verbal verification of the substitute banking details supplied. Even so, the firm was keen to understand the extent of the compromise and how to safeguard against similar threats. It consequently sought the help of a specialist cyber security company to conduct a full forensic investigation and provide remediation support.

Tracing the source and ‘kill chain’ of the attack

The initial focus of the cyber investigation was email logs relating to the Office 365 account suspected of being used to instigate the fraud. The team quickly identified that six weeks prior to the BEC attack, a senior member of staff had had their corporate account compromised after receiving an email, purporting to be an official security alert from Microsoft, which requested that the user log in to their account to review suspicious login activity.

Subsequent analysis revealed that, following the original phishing attack, hundreds of Office account login attempts were initiated from a range of malicious IP addresses originating from Nigeria, China and the UAE, from where a number of successful logins were made.

With full access to the user’s Office account, the attacker created mailbox rules designed to scan all incoming emails for keywords, moving interesting items to a hidden folder within Outlook, from where they were promptly deleted. The team later discovered that the attacker had also set up an email rule to auto-forward all incoming and outgoing emails to an external Gmail address.

Over the course of the week following detection of the attack, the email forward was found to have delivered more than 280 emails to the attacker's external account, resulting in the unauthorised disclosure of highly confidential client details and payment information.

One email thread to capture the attention of the attacker was related to the billing of two high value invoices, which had been raised by the insurance firm to its client. With a target identified, the attacker set about sending a chain of spoof emails, which requested payment of the invoices to an alternate bank account. In one of the emails, the attacker offered to call the client to provide additional verification. The source of the spoofed emails was a domain set up to closely resemble that of the insurance firm.

How to respond and mitigate BEC attacks

This case study is a great demonstration of how far cybercriminals will go to deceive their targets. The BEC attack was very close to achieving its objectives and would have done so had it not been for a diligent employee insisting on seeking telephone approval prior to processing payments.

Verbal authorisation might seem like an obvious mitigating control, but it’s not one enforced by many companies. One of the most famous financial sector breaches in recent years, the $1bn Bangladesh Bank cyber heist, was due in part to the fact sufficient protocols for checking payment transfers were not in place.

To mitigate the risk of BEC attacks, firms should implement a range of controls and processes to not only prevent these types of scams, but also detect and respond to them as quickly as possible. In the wake of the attack, the M&A firm’s IT team was advised to enforce multi-factor authentication across all user accounts as well as activate full mailbox audit logging in Office 365 to increase visibility of anomalous activity such as failed sign in attempts and policy violations. A review of the company’s security training programme was also recommended.
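As an added illustration (this is not Redscan's tooling and not drawn from the case above), the following Python triages mailbox audit records for inbox rules with the traits described earlier: financial keyword filters, moves to rarely viewed folders, message deletion and forwarding to an external address. The record shape and parameter names follow the Exchange inbox-rule cmdlets as they appear in Office 365 audit logs, but the log lines, domain and addresses are constructed.

```python
import json

# Domains treated as internal for this constructed example; anything else is external.
INTERNAL_DOMAINS = {"example-insurer.test"}
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Archive", "Deleted Items"}
MONEY_WORDS = ("invoice", "payment", "bank", "wire")

# Constructed audit records (not real logs), shaped after Office 365 unified audit
# entries for inbox-rule operations: an Operation plus a Parameters name/value list.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example-insurer.test",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;bank"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "cfo@example-insurer.test",
                "Parameters": [{"Name": "Name", "Value": "Backup"},
                               {"Name": "ForwardTo", "Value": "mailbox.backup@gmail.com"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "analyst@example-insurer.test",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "news@example-insurer.test"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]

def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def rule_findings(record):
    """Return the reasons one inbox-rule record looks like attacker persistence."""
    p = {item["Name"]: item["Value"] for item in record.get("Parameters", [])}
    findings = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if key in p and _is_external(p[key]):
            findings.append(f"{key} sends mail to external address {p[key]}")
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append("rule deletes matching mail")
    if p.get("MoveToFolder") in HIDING_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder '{p['MoveToFolder']}'")
    words = p.get("SubjectOrBodyContainsWords") or p.get("SubjectContainsWords") or ""
    if any(w in words.lower() for w in MONEY_WORDS):
        findings.append(f"filters on financial keywords: {words}")
    if len(p.get("Name", "")) <= 1:
        findings.append("rule name is blank or a single character")
    return findings

def triage(lines):
    """Map each user who created a suspicious rule to the findings; clean users are omitted."""
    out = {}
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        hits = rule_findings(rec)
        if hits:
            out.setdefault(rec["UserId"], []).extend(hits)
    return out
```

With mailbox audit logging enabled, the same checks can be run over exported records so that a rule forwarding to an external address or silently deleting invoice-related mail raises an alert rather than surfacing weeks later in a forensic review.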

For organisations that want to further reduce security risk, SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) tools are highly recommended to help improve threat visibility across on-premises and cloud environments.

Following recent news from the FCA that a third of finance firms do not conduct regular security assessments such as penetration testing, more must also be done to regularly evaluate the effectiveness of security controls and identify security vulnerabilities in response to common attack scenarios. Simulated engagements can also help to raise employee cyber awareness.

Every year seems to bring new security risks for finance firms. You can bet that 2019 will be more of the same, and that mitigating the risk of BEC attacks will continue to pose significant challenges.